Capture Traffic on CSS 11506
Hello,
I am trying to troubleshoot all traffic related to the backend servers (behind the CSS) on the input and output interfaces of the CSS. Could anybody help me in capturing this kind of traffic, with a support guide or commands?
Thanks,
Mo
You can use a CSS port as a SPAN port. Connect a sniffer to that port and you will get the packets.
Command to use:
setspan src_port number dest_port number copyBoth|copyTxOnly|copyRxOnly
More details at
http://cco.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.20/configuration/administration/guide/Intface.html#wp1099686
Syed Iftekhar Ahmed
Similar Messages
-
CSS 11506 page requests not directed properly
CSS 11506 sitting in front of mainframe and
two Windows 2003 servers
content rule3056gif
add service web1
add service web2
vip address 10.10.200.252
balance aca
url "/IMAGE_DIRECTORY_NAME/*.gif"
port 3056
active
A small number of page requests that do not match the above pattern are passing to the content servers web1 or web2 instead of the mainframe.
Any ideas appreciated.
When a connection comes in and matches the rule above, a flow is created to switch all traffic between client and server.
If inside this same flow a new request comes in for a different content rule, the flow needs to be remapped to the new server.
This works fine except when the flow stays idle.
A flow that was idle can't be remapped.
All new requests will be sent to the current/last server even if the request does not match the rule.
The solution is to increase the idle timeout.
You can do this with a 'flow-timeout-multiplier'.
A large value greatly reduces the chance of seeing the problem, but it also means that more resources are used, since each flow remains in memory longer.
It's up to you to find the right balance.
You can do a 'flow stat' from llama mode to see number of free flows and active flows.
I would say you start with a flow-timeout-multiplier of 100 and reduce or increase it if necessary.
Regards,
Gilles.
CSS 11506 / install Disclaimer page
We have a CSS 11506. Our public portal web servers are behind that CSS 11506. How do we configure the CSS so that when people click on external website URLs on the public portal, a disclaimer / exit page is shown first?
The CSS is only load balancing the HTTP traffic to the public portal web servers and does not run an HTTP stack itself. As such, the CSS is incapable of presenting any HTTP content to the client. Any disclaimer / exit pages would need to be programmed into the content of the page the public portal server presents to the client. There is not a way to accomplish this on the CSS.
-
Trying to understand SSL sticky with CSS 11506 / ssl-l4-fallback behavior
Dear experts
I have a CSS 11506 (v7.50) which is used to load balance several SSL-based sites. We use the following textbook content rule:
content mysite-SSL
vip address 10.0.0.1
add service s01
add service s02
add service s03
port 443
protocol tcp
advanced-balance ssl
application ssl
flow-timeout-multiplier 225
active
If I read the manual correctly, SSL L3 session IDs are going to be used till a flow is set up. Then the ssl-l4-fallback (it is enabled) directive kicks in and load balancing is done based on the source IP, destination port.
However, my stats show:
Sticky Statistics - SFM Slot 1, Subslot 1:
Total number of new sticky entries is 4937735
Total number of sticky table hits is 33476045
Total number of sticky rejects (no entry) is 0
Total number of sticky collision is 0
Total number of available sticky entries is 0
Total number of used sticky entries is 131071
Total L3 sticky entries are 131
Total L4 sticky entries are 0
Total SSL sticky entries are 130940
Total WAP sticky entries are 0
Total number of SIPCID sticky entries is 0
So, why don't I see anything in the L4 sticky entries?
Also, I would expect that once the ssl-l4-fallback kicks in, a client will be always directed to the same server (since the CSS uses now source IP, dest port for load balancing). However, if I close and start again my browser I hit a different server.
Your thoughts and suggestions are highly appreciated.
John.
Hi Gilles,
Thank you for your response. If I may ask the group for a final further clarification, so as to put this matter to rest. Since there are a lot of frames transmitted in either direction, I would expect the following to be happening and overriding the use of SSLv3 session IDs. Following is the section of the manual that seems to contradict what you say (and I see on the stats). Am I reading the manual wrong?
"Cisco Content Services Switch
Content Load-Balancing
Configuration Guide
Software Version 8.20
November 2006
page 11-14
Configuring SSL-Layer 4 Fallback
Insertion of the Layer 4 hash value into the sticky table occurs when more than
three frames are transmitted in either direction (client-to-server, server-to-client)
or if SSL version 2 is in use on the network. If either condition occurs, the CSS
inserts the Layer 4 hash value into the sticky table, overriding the further use of
the SSL version 3 session ID."
-
Hi Guys,
I have a request to capture traffic on the LAN and deliver it to a virtual server in a ESX VMware enviroment.
Has anyone tried this?
The topology is this:
WAN--Gateway--LAN--6500s--portchannel---Server with ESX (virtual server)
Data coming from the WAN entering the LAN on a specific port, needs to be captured, and sent to a specific virtual server.
Do you think this is possible?
Thanks.
Adrian
If you put the ESX server's VMNIC port as the destination, it should be possible. You need to configure SPAN in VMware, though, to send it to a specific virtual machine. See if this link helps:
http://blogs.vmware.com/vsphere/2013/02/vsphere-5-1-vds-feature-enhancements-port-mirroring-part-3.html
Daniel Dib
CCIE #37149
-
Capturing traffic in cisco devices.
Hi all,
Id like to ask how I can capture traffic
in Cisco routers? Something like in Cisco PIX firewalls. It is very nice in Cisco PIXes that I can troubleshoot outgoing and incoming traffic through some interface of the PIX with the capture capability.
Any idea?
BR
jl
Try to use the debug ip packet command with an access-list parameter. Be careful! Do not just start debug ip packet; it can be very hard on your router.
Example here: http://cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml#debugtraffic
-
SCE does not capture traffic snmp get-request
Hi,
We have SCE 2000 3.5.5.
I have a problem to capture some snmp traffic.
From a server to a router, our SCE captures SNMP "GET-NEXT-REQUEST" traffic. I can see this traffic in the RDRs (Transaction RDR and Subscriber RDR).
But from the same server to the same router, "GET-REQUEST" is not captured.
I have checked these packets using sniffer software, and the only difference between them is "GET-NEXT-REQUEST" versus "GET-REQUEST".
What could cause this situation??
Help me!
Hi, Tom.
I have controlled that the port is 161 and these packets go through the same SCE.
I changed the service configuration as you said, but the SCE did not capture the "snmp-get" packets. Here is what I did:
1. Open "New Service Configuration"
2. Add 161 to "UDP ports for which flow should be opened on first packet"
3. "RDR Settings" - "Transaction Usage RDRs" - check "select ALL"
4. Apply a SCE device
5. command "Snmpget" from a pc
6. Control RDRs with tag "4042323000" --> No record from the pc
7. mib-browser from the same pc
8. Control RDRs with tag "4042323000" --> find the record from the pc
I hope I can resolve it soon.
-
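As an added example (not from the thread above and not Cisco's code), the following Python decodes the SNMP PDU type from a UDP/161 payload the way the poster's sniffer did, and shows concretely what "the only difference is GET-REQUEST versus GET-NEXT-REQUEST" means on the wire. It builds two constructed SNMPv2c messages for sysDescr.0 that differ only in the PDU tag (0xA0 GetRequest versus 0xA1 GetNextRequest), classifies each with a minimal BER reader, and reports the byte offsets at which they differ. The community string "public", the request id and the OID are assumptions for the sample, not values from the page.

```python
"""Classify SNMPv1/v2c PDU types in raw UDP/161 payloads (added example)."""

# SNMP PDU tags (context-specific, constructed) from RFC 1157 / RFC 3416
PDU_TYPES = {
    0xA0: "GetRequest",
    0xA1: "GetNextRequest",
    0xA2: "GetResponse",
    0xA3: "SetRequest",
    0xA4: "Trap",            # SNMPv1 only
    0xA5: "GetBulkRequest",
    0xA6: "InformRequest",
    0xA7: "SNMPv2-Trap",
    0xA8: "Report",
}

# sysDescr.0 = 1.3.6.1.2.1.1.1.0 in BER OID encoding (assumed sample OID)
OID_SYSDESCR_0 = bytes([0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00])


def _read_tlv(buf, off):
    """Return (tag, value, next_offset) for the BER TLV starting at buf[off]."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    value = buf[off:off + length]
    if len(value) != length:
        raise IndexError("truncated TLV")
    return tag, value, off + length


def classify_snmp(payload):
    """Return (version, community, pdu_name) or None if not SNMPv1/v2c."""
    try:
        tag, body, _ = _read_tlv(payload, 0)
        if tag != 0x30:                      # outer SEQUENCE
            return None
        vtag, vval, off = _read_tlv(body, 0)    # INTEGER version
        ctag, cval, off = _read_tlv(body, off)  # OCTET STRING community
        ptag, _, _ = _read_tlv(body, off)       # PDU (context-specific tag)
    except IndexError:
        return None
    if vtag != 0x02 or ctag != 0x04:
        return None
    version = {0: "v1", 1: "v2c"}.get(int.from_bytes(vval, "big"), "other")
    pdu = PDU_TYPES.get(ptag, "unknown(0x%02X)" % ptag)
    return version, cval.decode("ascii", "replace"), pdu


def _tlv(tag, value):
    """Encode a BER TLV; short-form length is enough for these small samples."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


def build_snmp(pdu_tag, community=b"public", oid=OID_SYSDESCR_0, request_id=1):
    """Build a constructed SNMPv2c request with one varbind (OID, NULL)."""
    assert 0 <= request_id < 128              # keeps the INTEGER encoding one positive byte
    varbind = _tlv(0x30, _tlv(0x06, oid) + _tlv(0x05, b""))
    pdu = _tlv(pdu_tag,
               _tlv(0x02, bytes([request_id]))    # request-id
               + _tlv(0x02, b"\x00")              # error-status
               + _tlv(0x02, b"\x00")              # error-index
               + _tlv(0x30, varbind))             # VarBindList
    return _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, community) + pdu)


def differing_offsets(a, b):
    """Byte offsets where two equal-length messages differ (None if lengths differ)."""
    if len(a) != len(b):
        return None
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    get_req, get_next = build_snmp(0xA0), build_snmp(0xA1)
    print(classify_snmp(get_req), classify_snmp(get_next))
    print("differing byte offsets:", differing_offsets(get_req, get_next))
```

Feeding the UDP payloads of the two captured packets into classify_snmp gives the PDU name directly, so a classification difference between a device and a sniffer can be pinned to that single tag byte (offset 13 in these samples, right after the community string) rather than to ports or addresses.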
I'm looking at doing an EtherChannel/channel group to the CSS 11506 for greater bandwidth on the front of the CSS: clients > chan-group > VIP > CSS > servers.
has anyone else done this?
The reason I ask if this can be done is that the backup (ASR) CSS vir-peer shows as master (backup router) state. I didn't see any commands on the CSS for EtherChannel, PAgP or LACP.
Hi,
EtherChannel is not supported on the CSS, to my knowledge. Furthermore, you should avoid any spanning-tree issue on the CSS. If you need more throughput than 1 Gig, think about splitting the VIPs so that one CSS is active for the first half of the VIPs and the other one for the second part. Be aware that the gateway for both VIP parts needs to be active on the correct box.
Kind Regards,
Joerg
-
CSS 11506 - Locked up but cannot find why
I have had a CSS 11506 lock up with no access or activity. From the syslog logs I cannot see any error messages reporting a failure, just a hole. During the lockup I had no access to the equipment.
Any suggestions on how to investigate the lock up ?
Thank you in advance.
Roger.
Hi Roger,
Based on the symptoms, I guess the CSS did not save any core; can you double check?
I would say that we do not have enough evidence to say what caused the outage; actually, I would need to see the showtech and look for some evidence, but I can tell you for sure that your code needs to be upgraded.
The 7.50 train is not getting new releases, since the new trains are 8.10 and 8.20; also, 7.50.103 is an early release on that train, and many defects were addressed in newer code, some of them related to crash and hang issues.
Hope it helps!!
-
I configured VIP on my CSS 11506. I created a content rule and a service, which will be used by the content rule. Both have been activated. However, when I do "show service summary", the new service created is not coming up, it's showing down. I removed the service and re-created it and still down. My VIP won't work if the service remains down. Please help if you experience this before. Thanks so much !!
Collin,
You are the man! I removed the keepalive by typing "keepalive type none"; initially it was "keepalive type tcp", and now the service is up and I can get to my VIP. Thanks so much! I appreciate it. How should I give you credit?
-
Unable to capture traffic with Ethanalyzer on N5K-5548
Version - 5.0(2)N2(1)
My understanding is that we need
1) Access-List defined, with statistics configured to get matched traffic onto control plane
2) Access-List applied to an interface, via command "ip port access-group mycap in"
3) ethanalyzer command, ex; "ethanalyzer local interface mgmt capture-filter "net 1.1.1.0/24" (also tried interfaces inbound-hi & inbound-low)
I see matches on the access-list, but not seeing anything captured.
What am I missing?
ip access-list mycap
statistics per-entry
10 permit ip any 1.1.1.0/24
20 permit ip 1.1.1.0/24 any
30 permit ip any any
Just FYI, on a similar sidenote, we are going to enhance the capability of the capture filter to collect the necessary statistics via the following enhancement:
CSCsz99277 - ethanalyzer capture filter broken
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsz99277
-
Capturing traffic...
Can someone walk me through the process needed to build a signature or modify an existing signature to capture certain traffic? I am interested in being able to view the contents of traffic triggering Instant Messaging and IRC related signatures, so either a method for capturing traffic triggered by the existing signatures, or creating a signature to capture any traffic on 5190 or 6667 for example, would be sufficient.
This is a VMS server version 2.2 monitoring IDS 4.x sensors....
thanks.
If they access it via a VPN, then your ASA will show the connection to their VPN device and not the connections within that SSL VPN; those would all be encapsulated in the tunnel.
If they were accessing the remote server directly (not via a VPN) then yes you would see the server address in your "show conn" output.
I assume you used 10.10.10.1 as a made-up example, as that private IP address would never be routed freely on the Internet, only within a private network or tunneled within a VPN.
-
Hi,
I have a customized portal application which needs voice/video/authentication traffic to pass from an inside NATted server to the outside...
Opening the required ports didnt help.
If I remove the access-list for inside network it works....
Can someone help by giving the capture commands, so that I could capture the traffic and get the required ports?
Or some-other means to get the required ports.....
Thanks
Hi
use this command
capture capture_name [access-list acl_id][buffer bytes] [ethernet-type type][interface name] [packet-length bytes]
to view
show capture [capture_name] [access-list acl_id] [detail] [dump]
For additional information check this link
http://www.cisco.com/en/US/docs/security/pix/pix62/command/reference/c.html#wpxref65943
HTH
Raj
-
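The following Python script is an added example that serves two threads on this page: the SPAN-port answer at the top (capture backend-server traffic with a sniffer on a CSS SPAN port) and the PIX capture thread just above (work out which ports an application actually uses). It is not part of either thread and not Cisco's code. Once the sniffer on the SPAN port, or the PIX capture buffer copied off the box in pcap format, has produced a classic pcap file, the script parses the pcap, Ethernet, IPv4 and TCP/UDP headers using only the standard library, counts packets per client/server/port flow for a given set of backend addresses, and lists the server-side ports seen per backend. The backend addresses 10.10.200.11 and 10.10.200.12, the client and monitoring hosts, and the frames themselves are constructed sample data, not taken from the page.

```python
"""Summarise backend-server flows in a pcap taken at a SPAN port or exported from a PIX capture."""
import socket
import struct
from collections import defaultdict

# Classic pcap: 24-byte global header, 16-byte record headers, LINKTYPE_ETHERNET = 1
GLOBAL_HDR = struct.Struct("<IHHiIII")
RECORD_HDR = struct.Struct("<IIII")
LINKTYPE_ETHERNET = 1

def iter_pcap(data):
    """Yield (ts_sec, ts_usec, frame) for each record of a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)   # both byte orders accepted
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(end + "IHHiIII", data, 0)[6] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = GLOBAL_HDR.size
    while off + RECORD_HDR.size <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(end + "IIII", data, off)
        off += RECORD_HDR.size
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len

def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP-or-UDP headers; return None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None                                  # not IPv4 (e.g. ARP)
    ip = frame[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    l4 = ip[ihl:]
    if proto == 6 and len(l4) >= 20:
        name = "tcp"
    elif proto == 17 and len(l4) >= 8:
        name = "udp"
    else:
        return None
    sport, dport = struct.unpack_from("!HH", l4, 0)
    return {"proto": name, "src": src, "dst": dst, "sport": sport, "dport": dport}

def backend_summary(pcap_bytes, backend_ips):
    """Return (flows, ports): packets per (client, server, proto, server_port), ports per server."""
    backend_ips = set(backend_ips)
    flows, ports = defaultdict(int), defaultdict(set)
    for _sec, _usec, frame in iter_pcap(pcap_bytes):
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        if pkt["dst"] in backend_ips:           # client -> server direction
            server, client, sport = pkt["dst"], pkt["src"], pkt["dport"]
        elif pkt["src"] in backend_ips:         # server -> client direction
            server, client, sport = pkt["src"], pkt["dst"], pkt["sport"]
        else:
            continue                            # unrelated to the backends
        flows[(client, server, pkt["proto"], sport)] += 1
        ports[server].add((pkt["proto"], sport))
    return dict(flows), {s: sorted(p) for s, p in ports.items()}

# --- constructed sample capture; addresses and frames are assumptions, not from the page ---
def _ipv4_checksum(hdr):
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(src, dst, proto, sport, dport, payload=b""):
    """Minimal Ethernet/IPv4/TCP(PSH|ACK) or UDP frame with a valid IP header checksum."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\x08\x00" + ip + l4

def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap file."""
    out = GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += RECORD_HDR.pack(1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

BACKENDS = ["10.10.200.11", "10.10.200.12"]
SAMPLE_FRAMES = [
    build_frame("192.0.2.10", "10.10.200.11", 6, 40001, 80, b"GET / HTTP/1.0\r\n\r\n"),
    build_frame("10.10.200.11", "192.0.2.10", 6, 80, 40001, b"HTTP/1.0 200 OK\r\n\r\n"),
    build_frame("192.0.2.10", "10.10.200.12", 6, 40002, 443),
    build_frame("10.10.200.5", "10.10.200.11", 17, 50000, 161, b"\x30\x00"),
    build_frame("192.0.2.10", "198.51.100.7", 6, 40003, 25),                   # not a backend
    b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\x08\x06" + b"\x00" * 28,  # ARP frame
]

if __name__ == "__main__":
    flows, ports = backend_summary(build_pcap(SAMPLE_FRAMES), BACKENDS)
    for key, count in sorted(flows.items()):
        print(key, count)
    print(ports)
```

For a real capture, read the file with open(path, "rb").read() and pass it to backend_summary together with the backend addresses; the ports dictionary is the list of server ports the firewall or content rule must allow, and the flow keys show which clients reached each server through the SPAN'd interface. Note that the server port is taken from the destination of client-to-server packets and from the source of server-to-client packets, so both directions of one connection land on the same key.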
We just bought a 11506. I have a few questions
- One requirement we have is that I need to direct https web requests to the CSS public IP and then have it redirect that web request over tcp 80 to one of our internal web servers.
Do I need to purchase an SSL module for this?
Can someone direct me to the support link for the 11506. Looking for setup and support docs.
Cheers
Dave
In order to do SSL offloading you need to buy the SSL module CSS5-SSL-K9.
You can find lots of CSS config examples
http://www.cisco.com/en/US/products/hw/contnetw/ps792/prod_configuration_examples_list.html
& Supporting documents at
http://www.cisco.com/en/US/products/hw/contnetw/ps792/tsd_products_support_series_home.html
Syed Iftekhar Ahmed
-
CSS 11506 running 08.20.2.01
Can you tell me if this will work?
keepalive type encrypt
keepalive method get
keepalive port xxxx
Specifically, what can I do for a layer 5 KAL for HTTPS in a service? I hate to compare these things but I know on an F5 I can do an https get.
These are 11506 running 08.20.2.01
Thanks for anything you can advise,
You can definitely set up the CSS to perform a URI keepalive over HTTPS.
keepalive type http encrypt
However, in order for this configuration to work properly your CSS must contain the SSL module as the service will need to be setup as a "type ssl-accel-backend". This will allow the CSS to encrypt the keep-alive request and decrypt the servers response using the cert/keys defined within the backend-server configuration within the ssl-proxy-list.
Does your CSS contain an SSL module?
- Jason